Vlan – Access Multiple VLANs from One Computer


I inherited a bit of mess and am preparing to redo our IP addressing scheme and also split our network into multiple VLANs.

Possibly something like:

  • 10.1.10.0/24 VLAN 10 VOIP
  • 10.1.20.0/24 VLAN 20 Users
  • 10.1.30.0/24 VLAN 30 Management

The address scheme isn't really the question and the above is just an example.

What I have not been able to get my head around is this:

How do I access all VLANs from my Macbook?

I had to hit the ground running with this so I haven't had time yet for a proper course of study (will start on my CCNA soon). The problem with learning by total immersion is that there are often holes in my knowledge.

I gather that there are 3 options:

  1. Add multiple aliases to my laptop NIC and do VLAN trunking on the port the NIC is connected to. That is still pretty fuzzy to me.

  2. Connect to a layer 3 switch and route between the VLANs. Our switches are all layer 2/3 (static layer 3 routes) but I can add a full layer 3 switch if need be.

  3. Connect my laptop NIC to a router and route based on subnet. Something like a Cisco 2811 or 2821 with a multi-port Ethernet card.

With all that said, what is the proper way to do this?

Best Answer

Add multiple aliases to my laptop NIC and do VLAN trunking on the port the NIC is connected to

Your keywords here are "tagged VLAN". You might set up a switch port as a tagged member of all three VLANs and set up virtual interfaces using the VLAN tag identifiers in your Mac OS X instance, basically leaving you with three virtual interfaces in three virtual networks.

If you ever wanted intercommunication between the three networks, this is not what you should do.

Connect to a layer 3 switch and route between the VLANs.

To nit-pick, you would not be able to access "the VLANs" in this case. Your IP packets would be routed to the destinations in these VLANs (and given that routing is set up correctly on the receivers, their response packets would be routed back), but you would not get any of the non-IP or broadcast traffic from these networks as long as you are not directly a member.

This is the preferable option if you plan on interconnecting the networks anyway.

Connect my laptop NIC to a router and route based on subnet.

This is not really different from your previous option aside from the fact that you are not using virtual interfaces configured for a VLAN membership (this is what an L3 switch actually is about) but physical interfaces tying up physical Ethernet ports. If you can avoid this, please do.

what is the proper way to do this?

There is no proper way. You do what you need to do.

  • If you are separating the networks in order to keep them separate and to completely prevent inter-network communications, you should not interconnect them by a router in the next step.
  • If you are just doing this to break up your broadcast domains in smaller pieces or in order to be able to control the kind of traffic they are exchanging (segmentation), choose a router (or L3 switch) capable of setting IP filters (mostly called ACLs in Cisco's implementation) according to your needs.
  • If your laptop needs broadcast or non-IP traffic from these networks, you would need to connect it to a port configured as a member (either tagged or untagged) as the router would not forward this kind of traffic to another network.

Choose your poison.
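Both sides of the "tagged VLAN" option and the "L3 switch with ACLs" option, written out as an added example (this is not code from the question or the answer). It assumes the MacBook's wired NIC is en0, that it is plugged into switch port GigabitEthernet1/0/1, that the laptop takes host address .5 and the switch SVI takes .1 in each of the three /24s from the question, and that VLAN 999 is an otherwise unused ID parked as the trunk's native VLAN; all of those are constructed for illustration. The macOS functions create one `vlanN` sub-interface per VLAN on a single cable; the two `switch_*` functions print the matching Cisco IOS configuration for the trunk port and for inter-VLAN routing with an IP filter.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (constructed):
#   - MacBook wired NIC is en0, cabled to switch port GigabitEthernet1/0/1
#   - the three /24s from the question; laptop host .5, SVI gateway .1 in each
#   - VLAN 999 is an unused ID used as the trunk's native VLAN
# DRY_RUN=1 prints the ifconfig commands instead of executing them.

VLAN_PLAN="10:10.1.10.5 20:10.1.20.5 30:10.1.30.5"   # id:laptop-address, all /24
PARENT_IF="${PARENT_IF:-en0}"

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# One tagged sub-interface "vlanN" on top of the physical NIC (macOS ifconfig syntax).
mac_vlan_up() {
    vid="$1"; addr="$2"
    run ifconfig "vlan$vid" create
    run ifconfig "vlan$vid" vlan "$vid" vlandev "$PARENT_IF"
    run ifconfig "vlan$vid" inet "$addr" netmask 255.255.255.0 up
}

mac_vlan_down() {
    run ifconfig "vlan$1" destroy
}

# Apply the whole plan: three virtual interfaces, one per VLAN, over one cable.
mac_vlans_up() {
    for entry in $VLAN_PLAN; do mac_vlan_up "${entry%%:*}" "${entry#*:}"; done
}
mac_vlans_down() {
    for entry in $VLAN_PLAN; do mac_vlan_down "${entry%%:*}"; done
}

# Cisco IOS config for the laptop's switch port: a dot1q trunk carrying only
# the listed VLANs. The native VLAN is moved to an unused ID so an untagged
# frame from the laptop never lands in a production VLAN, and DTP is turned
# off so the port mode cannot be negotiated. On platforms that also support
# ISL, add "switchport trunk encapsulation dot1q" before "switchport mode trunk".
switch_trunk_config() {
    port="$1"; vids="$2"
    cat <<EOF
vlan 999
 name unused-native
interface $port
 description laptop, tagged member of VLANs $vids
 switchport mode trunk
 switchport trunk allowed vlan $vids
 switchport trunk native vlan 999
 switchport nonegotiate
 no shutdown
EOF
}

# Cisco IOS config for the inter-VLAN routing option: one SVI per VLAN as
# gateway, plus an ACL so hosts in Users cannot reach Management while
# everything else is routed. Broadcast and non-IP traffic still stop at the SVI.
switch_l3_config() {
    cat <<'EOF'
ip routing
ip access-list extended USERS-IN
 deny   ip 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255
 permit ip any any
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group USERS-IN in
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
EOF
}

case "${1:-}" in
    up)    mac_vlans_up ;;
    down)  mac_vlans_down ;;
    trunk) switch_trunk_config "GigabitEthernet1/0/1" "10,20,30" ;;
    l3)    switch_l3_config ;;
esac
```

Usage: `DRY_RUN=1 sh vlans.sh up` previews the ifconfig commands, `sudo sh vlans.sh up` applies them, and `sh vlans.sh trunk` or `sh vlans.sh l3` prints the switch-side snippets to paste in. Note that a trunk port facing a laptop is a port that can inject frames into every VLAN it carries, so keep the allowed list explicit rather than "all", and switch the port back to an access port when the laptop no longer needs it.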